# ServiceAccount the webhook pods run as. It is created in cert-manager's
# namespace (.Values.certManager.namespace) and is the subject of every
# RoleBinding/ClusterRoleBinding in this file except domain-solver, which is
# bound to cert-manager's own ServiceAccount instead.
# NOTE(review): the Deployment must be rendered into the same namespace for the
# pod to be able to use this ServiceAccount — confirm against deployment.yaml.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ include "cert-manager-webhook-pcloud.fullname" . }}
  namespace: {{ .Values.certManager.namespace | quote }}
  labels:
    app: {{ include "cert-manager-webhook-pcloud.name" . }}
    chart: {{ include "cert-manager-webhook-pcloud.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
---
# Grant the webhook permission to read the ConfigMap containing the Kubernetes
# apiserver's requestheader-ca-certificate
# This ConfigMap is automatically created by the Kubernetes apiserver
# The extension-apiserver-authentication-reader Role lives in kube-system, so
# this RoleBinding is namespaced there while its subject (the webhook
# ServiceAccount) stays in cert-manager's namespace. Read-only: the Role only
# covers the extension-apiserver-authentication ConfigMap.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ include "cert-manager-webhook-pcloud.fullname" . }}:webhook-authentication-reader
  namespace: kube-system
  labels:
    app: {{ include "cert-manager-webhook-pcloud.name" . }}
    chart: {{ include "cert-manager-webhook-pcloud.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: extension-apiserver-authentication-reader
subjects:
  - apiGroup: ""
    kind: ServiceAccount
    name: {{ include "cert-manager-webhook-pcloud.fullname" . }}
    namespace: {{ .Values.certManager.namespace | quote }}
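---
# apiserver gets the auth-delegator role to delegate auth decisions to
# the core apiserver
# system:auth-delegator is a built-in ClusterRole; it lets the webhook submit
# TokenReview / SubjectAccessReview requests so it can authenticate and
# authorize the callers (cert-manager) of its aggregated API. It grants no
# access to workload resources.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ include "cert-manager-webhook-pcloud.fullname" . }}:auth-delegator
  labels:
    app: {{ include "cert-manager-webhook-pcloud.name" . }}
    chart: {{ include "cert-manager-webhook-pcloud.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
  - apiGroup: ""
    kind: ServiceAccount
    name: {{ include "cert-manager-webhook-pcloud.fullname" . }}
    # Spacing normalised to `| quote }}` to match every other namespace field
    # in this file (the original `quote}}` rendered the same but was inconsistent).
    namespace: {{ .Values.certManager.namespace | quote }}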
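---
# Grant cert-manager permission to validate using our apiserver
# This is the API surface cert-manager uses to submit DNS-01 challenge
# requests: "create" on every resource of the webhook's own API group
# (.Values.groupName). No other verbs are granted, so the holder cannot read,
# list or modify anything through this role.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ include "cert-manager-webhook-pcloud.fullname" . }}:domain-solver
  labels:
    app: {{ include "cert-manager-webhook-pcloud.name" . }}
    chart: {{ include "cert-manager-webhook-pcloud.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
rules:
  - apiGroups:
      # Quoted so an unset groupName renders as "" (rejected by RBAC validation)
      # instead of a YAML null, and so boolean/number-looking values stay strings.
      - {{ .Values.groupName | quote }}
    resources:
      - "*"
    verbs:
      - "create"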
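---
# Bind the domain-solver ClusterRole to cert-manager's ServiceAccount.
# Unlike the other bindings in this file, the subject here is cert-manager
# (.Values.certManager.serviceAccountName), not the webhook: cert-manager is the
# caller that creates challenge requests against the webhook's API group.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ include "cert-manager-webhook-pcloud.fullname" . }}:domain-solver
  labels:
    app: {{ include "cert-manager-webhook-pcloud.name" . }}
    chart: {{ include "cert-manager-webhook-pcloud.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ include "cert-manager-webhook-pcloud.fullname" . }}:domain-solver
subjects:
  - apiGroup: ""
    kind: ServiceAccount
    # Quoted like the namespace below so an unset value renders as "" and fails
    # RBAC validation instead of silently becoming a null subject name.
    name: {{ .Values.certManager.serviceAccountName | quote }}
    namespace: {{ .Values.certManager.namespace | quote }}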
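---
# Allow the webhook to read only the Secret holding the pCloud credentials.
# Access is pinned to a single resourceName so the webhook cannot read other
# Secrets in cert-manager's namespace; only get and watch are granted — adding
# list would widen this to every Secret in the namespace, so keep it out.
# NOTE(review): the Secret name is hard-coded here; it must match the Secret the
# webhook Deployment mounts or references — confirm against deployment.yaml.
# Labels added to match the other resources in this file so the Role is found
# by the same selectors and shows the owning release.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ include "cert-manager-webhook-pcloud.fullname" . }}:secret-reader
  namespace: {{ .Values.certManager.namespace | quote }}
  labels:
    app: {{ include "cert-manager-webhook-pcloud.name" . }}
    chart: {{ include "cert-manager-webhook-pcloud.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
rules:
  - apiGroups:
      - ""
    resources:
      - "secrets"
    resourceNames:
      - "pcloud-credentials"
    verbs:
      - "get"
      - "watch"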
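---
# Bind the secret-reader Role to the webhook ServiceAccount. Namespaced, so the
# grant cannot reach Secrets outside cert-manager's namespace.
# Labels added to match the other resources in this file so the binding is
# found by the same selectors and shows the owning release.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ include "cert-manager-webhook-pcloud.fullname" . }}:secret-reader
  namespace: {{ .Values.certManager.namespace | quote }}
  labels:
    app: {{ include "cert-manager-webhook-pcloud.name" . }}
    chart: {{ include "cert-manager-webhook-pcloud.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ include "cert-manager-webhook-pcloud.fullname" . }}:secret-reader
subjects:
  - apiGroup: ""
    kind: ServiceAccount
    name: {{ include "cert-manager-webhook-pcloud.fullname" . }}
    namespace: {{ .Values.certManager.namespace | quote }}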
{{- if .Values.features.apiPriorityAndFairness }}
---
# Grant cert-manager-webhook-pcloud permission to read the flow control mechanism (APF)
# API Priority and Fairness is enabled by default in Kubernetes 1.20
# https://kubernetes.io/docs/concepts/cluster-administration/flow-control/
# Read-only (list/watch) on the two APF resource types; the whole block is
# gated on .Values.features.apiPriorityAndFairness so clusters without APF do
# not get an unnecessary cluster-wide grant.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ include "cert-manager-webhook-pcloud.fullname" . }}:flowcontrol-solver
  labels:
    app: {{ include "cert-manager-webhook-pcloud.name" . }}
    chart: {{ include "cert-manager-webhook-pcloud.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
rules:
  - apiGroups:
      - "flowcontrol.apiserver.k8s.io"
    resources:
      - "prioritylevelconfigurations"
      - "flowschemas"
    verbs:
      - "list"
      - "watch"
---
# Bind the flowcontrol-solver ClusterRole to the webhook ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ include "cert-manager-webhook-pcloud.fullname" . }}:flowcontrol-solver
  labels:
    app: {{ include "cert-manager-webhook-pcloud.name" . }}
    chart: {{ include "cert-manager-webhook-pcloud.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ include "cert-manager-webhook-pcloud.fullname" . }}:flowcontrol-solver
subjects:
  - apiGroup: ""
    kind: ServiceAccount
    name: {{ include "cert-manager-webhook-pcloud.fullname" . }}
    namespace: {{ .Values.certManager.namespace | quote }}
{{- end }}